March had 93 healthcare data breach reports involving 500 or more records submitted to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The number of breaches increased by 50% from February and by 41% year-over-year compared with March 2023. The last month with more than 90 reported data breaches was September 2020.
The very high number of data breaches was the result of a cyberattack on Ernest Health, a rehabilitation and long-term acute care hospital operator. A health system that experiences a breach affecting several hospitals typically reports it as a single breach, but in this case a separate breach report was submitted for each of the 31 affected hospitals. Had only one breach report been submitted to OCR, March would have had 60 data breach reports, which is below the average of 66.75 breaches per month over the last 12 months.
Despite the high breach total, the number of people affected by healthcare data breaches dropped to its lowest level for the fourth month since January 2023. Across the 93 reported data breaches, the protected health information (PHI) of 2,971,249 individuals was compromised or impermissibly exposed.
Largest Healthcare Data Breaches in March 2024
In March, 18 data breaches affecting the PHI of 10,000 or more people were reported, and all 18 were caused by hacking. Risas Dental & Braces, a dental care provider in Pennsylvania, reported the biggest breach this month. Although the breach report was submitted in March, the breach itself occurred 8 months earlier, in July 2023. Emergency Medical Services Authority in Oklahoma also reported a similar-sized data breach: hackers gained access to its system in February and stole records containing names, addresses, birth dates, and Social Security numbers.
Philips Respironics, a respiratory care products provider, initially reported a hacking incident to OCR that affected the PHI of 457,152 people. Hackers gained access to the system of billing service provider M&D Capital Premier Billing in Queens, NY, in July 2023 and stole files containing the PHI of 284,326 people. Yakima Valley Radiology in Washington reported an August 2023 hacking incident that affected the PHI of 235,249 people. Designed Receivable Solutions, a California debt collection agency, experienced a breach involving the PHI of 129,584 people; the details of that breach are unknown, since no public statement was made apart from the breach report sent to OCR.
1. Risas Dental & Braces – 618,189 individuals affected by a hacking incident
2. Emergency Medical Services Authority – 611,743 individuals affected by a hacking incident
3. Philips Respironics – 457,152 individuals affected by the exploited MOVEit Transfer software vulnerability
4. M&D Capital Premier Billing LLC – 284,326 individuals affected by a hacking incident
5. Yakima Valley Radiology, PC – 235,249 individuals affected by a hacked email account
6. Designed Receivable Solutions, Inc. – 129,584 individuals affected by a hacking incident
7. University of Wisconsin Hospitals and Clinics Authority – 85,902 individuals affected by a compromised email account
8. Aveanna Healthcare – 65,482 individuals affected by a compromised email account
9. Ezras Choilim Health Center, Inc. – 59,861 individuals affected by a hacking incident with data theft
10. Valley Oaks Health – 50,034 individuals affected by a hacking incident
11. Family Health Center – 33,240 individuals affected by a ransomware attack
12. CCM Health – 28,760 individuals affected by a hacking incident
13. Weirton Medical Center – 26,793 individuals affected by a hacking incident
14. Pembina County Memorial Hospital – 23,811 individuals affected by a hacking incident with data theft
15. R1 RCM Inc. – 16,121 individuals affected by a hacking incident with data theft
16. Ethos, also called Southwest Boston Senior Services – 14,503 individuals affected by a hacking incident
17. Pomona Valley Hospital Medical Center – 13,345 individuals affected by a ransomware attack on a vendor subcontractor
18. Rancho Family Medical Group, Inc. – 10,480 individuals affected by a cyberattack on KMJ Health Solutions, a business associate
Causes of Breaches and Location of Compromised PHI
In March, 76 data breaches were categorized as hacking/IT incidents. They affected the data of 2,918,585 people, which is 98.2% of all breached records. The average and median breach sizes were 38,402 records and 3,144 records, respectively. The nature of hacking incidents is often difficult to determine because breach notifications usually disclose little about them, such as whether ransomware or malware was involved. That lack of detail makes it difficult for the people affected by a breach to evaluate the degree of risk they face. Breach notices describe these breaches as cyberattacks that caused network disruption, which implies they were ransomware attacks.
11 data breaches were due to unauthorized access/disclosure and affected 36,533 records. The average and median breach sizes were 3,321 records and 1,956 records, respectively. Four data breaches involved theft and one involved loss, together affecting 15,631 records; the average and median breach sizes were 3,126 records and 3,716 records, respectively. One incident involved the improper disposal of approximately 500 records. Breached PHI was most commonly located on network servers, which is consistent with the number of hacking incidents, followed by email accounts.
According to the OCR data breach website, 77 data breaches reported by healthcare providers affected 2,030,568 records, 10 breaches reported by business associates affected 920,522 records, and 6 data breaches reported by health plans affected 20,159 records. OCR explained in its Q&A for healthcare companies affected by the Change Healthcare ransomware attack that the HIPAA-covered entity is responsible for reporting breaches of PHI when the breach occurs at a business associate; however, the task of sending notifications can be delegated to the business associate. In some cases, the business associate reports a breach that occurred at the business associate on behalf of certain affected covered entity customers, while a few covered entities choose to send the notifications themselves.
Geographical Location of Healthcare Data Breaches
The data breach reports submitted by HIPAA-covered entities came from 33 U.S. states. Texas submitted 16 breach reports, 8 of which were associated with the breach at Ernest Health hospitals. California submitted 10 breach reports, 3 of which were associated with Ernest Health hospitals. New York submitted 7 breach reports.
The other states reported the following numbers of breaches: Pennsylvania reported 6; Indiana reported 5; Florida and Colorado reported 4 each; Illinois, South Carolina and Ohio reported 3 each; Arizona, Idaho, Michigan, Massachusetts, Minnesota, North Carolina, New Mexico, Oklahoma and Utah reported 2 each; and Alabama, Georgia, Kentucky, Kansas, New Jersey, Nevada, North Dakota, Tennessee, Oregon, Virginia, Washington, Wisconsin, West Virginia and Wyoming reported one each.
March 2024 HIPAA Enforcement Activity
Phoenix Healthcare was found to have violated the right of a daughter to be provided with a copy of her mother's health records while the daughter was acting as her mother's personal representative. The provider did not produce the requested records until 323 days later, which violated the HIPAA Right of Access, and was ordered to pay a $250,000 financial penalty.
Phoenix Healthcare requested a hearing before an Administrative Law Judge. The judge upheld the violations but reduced the financial penalty to $75,000. Phoenix Healthcare appealed the penalty, and the Departmental Appeals Board affirmed the ALJ's judgment; nevertheless, OCR gave Phoenix Healthcare the opportunity to resolve the violations by paying $35,000, provided it agreed not to contest the Departmental Appeals Board's decision any further.